Summary

The /api/course_rel_users endpoint is vulnerable to Insecure Direct Object Reference (IDOR) / Broken Object Level Authorization (BOLA). An authenticated attacker can modify the user parameter in the request body to enroll any arbitrary user into any course without proper authorization checks.

This results in unauthorized manipulation of user-course relationships and may lead to privilege escalation, data exposure, and integrity compromise, making it a high severity issue.

Details

The application exposes an API endpoint: POST /api/course_rel_users

This endpoint accepts a JSON payload containing a user field:

{
  "user": "/api/users/{user_id}",
  "course": "/api/courses/{course_id}",
  "relationType": 0,
  "status": 5
}

Root Cause:

• The backend trusts user-supplied input for the user field.
• There is no server-side authorization check to verify that:
  • The requester owns the referenced user_id, or
  • The requester has permission to act on behalf of other users.

As a result, attackers can:

• Replace the user ID with another user's ID
• Perform actions (course enrollment) on behalf of that user

Evidence:
From the response:

"user": {
  "@id": "/api/users/5970",
  "username": "jbaker",
  "fullName": "Natheo Ribatto"
}

This confirms that the backend processes and applies the attacker-controlled user reference.

Impact

An attacker can:

• Enroll any user into any course
• Manipulate user-course relationships
• Potentially:
  • Grant unintended access to course materials
  • Bypass enrollment controls
  • Disrupt application integrity

Affected Parties:

• All users of the platform
• Administrators (if privilege boundaries exist via course roles)
• Organization data integrity

Fix

2a9f060 bd2ba34 c9c30cd
or update to v2.0 stable.